b'               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n\n Guide Used to Conduct Risk Assessments in Fiscal Year 2003\nBackground\n\nThe United States Department of Transportation (DOT) is investing record\nfunding amounts to improve the transportation system\xe2\x80\x99s infrastructure and safety.\nThe Transportation Equity Act for the 21st Century, or TEA-21, authorized about\n$180 billion in Federal-aid highway funding to State transportation agencies\n(States) for the 6-year period ending in Fiscal Year 2003. This funding amount is\nexpected to continue in future years. While testifying before the House and Senate\nAppropriations Committees in April 2001, Secretary Mineta stated that one of his\npriorities is to ensure that the Federal government receives what it pays for and\nthat major transportation projects are managed wisely and appropriately.\n\nStates make construction progress payments to prime contractors at least once per\nmonth. Construction payment estimates, prepared by State engineers and\napproved by State project managers, are based on the value of work performed and\nmaterials delivered or stockpiled in accordance with the construction contract.\nPayment estimates are based on supporting documentation, such as inspection\nreports, estimate books, quantity weight tickets, and construction diaries.\n\nStates also pay consultants for various professional services, such as project\noversight, project design, environmental services, and quality assurance. State\nproject managers assess consultants\xe2\x80\x99 performance based on periodic meetings,\nstatus reports, and interaction with the consultants. Consultants submit monthly\ninvoices that project managers approve before payment processing. Consultants\nare generally not required to provide supporting documentation with invoices, but\nthe costs are subject to a State audit.\n\nRisk Assessment Objective\n\nThe objective of this risk assessment is to identify internal control weaknesses and\nbest practices related to payments for highway construction contractor and\nconsultant services.\n\nScope and Methodology\n\nThis risk assessment evaluates internal controls over the Federal-aid payment\nprocess and tests a random sample of Federal-aid expenditures to determine\nwhether Federal funds were used properly and all costs were adequately\ndocumented and supported.\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n\nAssessing internal controls. To evaluate internal controls over the State payment\nprocess, the risk assessment uses the General Accounting Office\xe2\x80\x99s Internal\nControl Management and Evaluation Tool, specifically the Control Activities and\nMonitoring Standards. Risk assessment steps based on these Standards follow.\n\nTesting Federal-aid expenditures. To determine whether Federal-aid payments to\nconstruction contractors and consultants are proper, this risk assessment tests a\nrandom sample of payment estimates selected from the universe of payment\nestimates for construction expenditures during the most recent 12-month period.\nSample items should be traced to supporting source documentation such as\nconsultant invoices, construction payment vouchers, estimate books, daily\ninspection reports, construction diaries, and material weight tickets, etc.\n\nPreliminary Planning\n\nKey documents needed at least 2 weeks before field work begins\n\n\xe2\x80\xa2 Amount of Federal-aid highway funds apportioned to the State for the last\n  three Fiscal Years.\n\n\xe2\x80\xa2 Amount of Federal-aid expenditures during the most recent Fiscal Year,\n  stratified by dollar value.\n\n   \xe2\x80\xa2 Data file (preferably in Microsoft Excel) containing the universe of\n     Federal-aid expenditures for the most recent Fiscal Year. The following\n     fields of information are needed:\n\n      \xe2\x88\x92   District number/location\n      \xe2\x88\x92   Federal/State project number\n      \xe2\x88\x92   Full Federal oversight or exempt from Federal oversight\n      \xe2\x88\x92   Transaction date\n      \xe2\x88\x92   Transaction amount\n      \xe2\x88\x92   Type of expenditure (construction, consultant, etc.)\n      \xe2\x88\x92   Payment voucher/invoice number\n      \xe2\x88\x92   Payment voucher line item number\n      \xe2\x88\x92   Contractor/consultant name\n      \xe2\x88\x92   Contractor/consultant number\n\n\xe2\x80\xa2 Stewardship Agreement with Federal Highway Administration (FHWA).\n\n\n\n\n                                                                               2\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n\xe2\x80\xa2 State transportation agency organization chart and key contact points with\n  phone numbers for personnel in project management, construction, financial\n  and accounting, and auditing divisions. Include key contacts in District\n  Offices.\n\n\xe2\x80\xa2 Current staffing levels for personnel whose responsibilities include oversight\n  of Federal-aid projects. Classify by (1) project management, (2) construction\n  engineers and inspectors, (3) financial and accounting, and (4) auditing.\n  Further classify personnel by location (Headquarters and District Offices).\n\n\xe2\x80\xa2 Position descriptions for project managers, construction engineers, chief\n  estimators, accounting/financial managers, auditors, and other positions with\n  responsibility for oversight of the Federal-aid program.\n\n\xe2\x80\xa2 List and examples of typical supporting documents required before payment to\n  construction contractors and consultants is approved.\n\n\xe2\x80\xa2 Written documentation/flowchart of State payment process for Federal-aid\n  expenditures (from beginning to end, i.e., reviewing material weight tickets to\n  preparing vouchers to processing payments to issuing checks to contractors).\n  Include manual and computer controls to prevent and detect erroneous\n  expenditures.\n\n\xe2\x80\xa2 List and examples of oversight reports used by State managers to monitor\n  contractor and consultant performance and progress for Federal-aid projects.\n\n\xe2\x80\xa2 State DOT Auditor, State Legislative Auditor, FHWA, and Federal Department\n  of Transportation Inspector General audits and reviews of State payment and\n  oversight processes for Federal-aid projects, including audit reports, risk\n  assessments, management control evaluations, process reviews, consultant\n  reports, and other reviews issued during the last three Fiscal Years.\n\nRisk Assessment Steps\n\nControl Activities - Internal control activities help ensure that management\ndirectives are carried out and occur at all levels and functions of the entity.\nControl activities are policies, procedures, and practices for approvals,\nauthorizations, verifications, reconciliations, and performance reviews. They\nensure actions are taken to address risks and are an integral part of an entity\xe2\x80\x99s\nplanning, implementing, reviewing, and stewardship of government resources.\nControl activities may be (1) applied in a computerized information system\n\n\n\n                                                                               3\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\nenvironment or through manual processes, and (2) classified by specific control\nobjectives such as ensuring completeness and accuracy of information processing.\n\nControls can be either prevention or detection oriented. Both types of controls are\nessential to an effective internal control system. From a quality standpoint,\npreventive controls are essential because they are proactive and emphasize quality.\nPreventive controls attempt to either deter or prevent fraud and prevent loss or\nother undesirable events from occurring. Examples of preventive controls are\nseparation of duties, proper authorization, adequate documentation, and physical\ncontrol over assets. Detection controls play a critical role in providing evidence\nthat preventive controls are functioning. Detection controls attempt to detect\nfraud, waste and abuse. They provide evidence of losses but do not prevent losses\nfrom occurring. Detection controls include reviews, inspections, analyses,\nvariance analyses, reconciliations, physical inventories, and audits and\ninvestigations of fraud, waste and abuse.\n\n1.  Are key areas of authority and                 responsibility   defined   and\ncommunicated throughout the organization?\n\n(a)   Is there a current and accurate organization chart? Do clear reporting\n      relationships exist between management and employees? Are employees\n      aware of key areas of responsibility as provided in an accurate and current\n      position description?\n\n(b)   How does management ensure employees execute their jobs effectively? Is\n      responsibility for decision making clearly linked to the assignment of\n      authority? Are individuals held accountable? Review performance\n      standards for selected positions.\n\n2.     What audit resources do State transportation agencies have available\nfor oversight of Federal-aid highway construction projects?\n\n(a)   What audit resources are available to provide oversight of Federal-aid funds\n      and construction project expenditures?\n\n(b)   What is the audit division\xe2\x80\x99s workload? What are the audit priorities and\n      why were these priorities selected?\n\n(c)   What performance targets did audit management set? Did the audit\n      division meet its performance targets? Document supporting information.\n\n(d)   What audit reports are provided to the FHWA Division Office?\n\n\n                                                                                 4\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n\n3.     Are there appropriate policies, procedures, techniques, and\nmechanisms with respect to control activities? Determine if the State\nestablished, and if so, make copies of, written policies, procedures, and practices\nfor oversight of:\n\n      \xe2\x88\x92   payment process\n      \xe2\x88\x92   construction contractors\n      \xe2\x88\x92   professional services consultants\n      \xe2\x88\x92   management and oversight of project cost and schedule\n\n4.    Obtain summary data on the funding and cost of Federal-aid highway\nprojects for the most recent Fiscal Year. Note whether the State\xe2\x80\x99s Fiscal Year\ncorresponds to the Federal Fiscal Year (October through September).\n\n(a)   How much Federal and State funds were apportioned and obligated for\n      Federal-aid highway projects?\n\n(b)   How much Federal and State funds were apportioned and obligated for\n      Federal-aid projects with full FHWA oversight?\n\n(c)   How much Federal and State funds were apportioned and obligated for\n      Federal-aid highway projects with State oversight (exempt from FHWA\n      oversight)?\n\n(d)   What were the number and dollar value of reimbursements for Federal-aid\n      highway projects and the number and dollar value of completed Federal-aid\n      highway projects?\n\n5.    Control Activities over Payments (23 U.S.C. 121, 23 CFR Part 635.122,\nand 23 CFR Part 140)\n\n(a)   Interview State project, financial and information systems managers to\n      obtain a thorough understanding of the payment approval process. Is the\n      process documented and flowcharted? Request a copy. If not, diagram the\n      process (narrative and flowchart) for approving payments to Federal-aid\n      construction contractors and consultants. Include important internal\n      controls used throughout the process.\n\n(b)   What process is used to create, document and approve construction pay\n      estimates?\n\n\n\n                                                                                 5\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n(c)   What process is used to create, document and approve consultant\n      payments?\n\n(d)   Besides formal construction audits, how does the State ensure that Federal\n      funds are spent appropriately? Does the State employ documentation\n      reviewers to verify the accuracy of project records? What items do\n      documentation reviewers verify? Are statistical samples of transactions\n      tested? If not, how are projects selected by documentation reviewers?\n\n(e)   Does the State have a strategy to minimize duplicate and other erroneous\n      payments? What reports are generated to highlight duplicate and other\n      erroneous payments? Have duplicate or other erroneous payments occurred\n      during the previous two years? If yes, describe how these were found and\n      what corrective actions were taken.\n\n(f)   From the sample universe, select and test a random sample of Federal-aid\n      highway expenditures for the most recent 12-month period. Stratify the\n      sample universe by dollar value and randomly select sample items for a\n      95 confidence level and 5 percent error rate. Before beginning field work,\n      review sample item pay estimates and judgmentally select one to three pay\n      estimate line items to be verified.\n\n(g)   Trace sample items to supporting documentation, such as payment\n      vouchers, pay estimates, construction diaries, estimate books, daily\n      inspection reports, weight tickets, etc.\n\n6.    Information System Processing - The agency employs a variety of\ncontrol activities suited to information processing systems to ensure accuracy\nand completeness of payments.\n\n(a)   Observe the processing of a payment voucher/invoice from billing to\n      payment, for the State transportation agency payment system and the\n      Statewide payment system. Compare this process to the controls listed in\n      the payment flowchart. Are control procedures in place and followed?\n\n(b)   Does the State DOT payment system have controls to protect against and\n      detect possible duplicate and other erroneous payments before, during, and\n      after payment processing? These controls should address and produce\n      reports to identify:\n\n\n\n\n                                                                              6\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n      \xe2\x80\xa2 Possible duplicate and other erroneous transactions as data is initially\n        entered into construction and vendor information systems at the project\n        and district level;\n\n      \xe2\x80\xa2 Possible duplicate and other erroneous transactions as the transactions\n        are being extracted for transfer from the State DOT\xe2\x80\x99s payment system to\n        the State Treasury\xe2\x80\x99s payment system; and\n\n      \xe2\x80\xa2 Possible duplicate and other erroneous payments after the transactions\n        have been processed by the State Treasury\xe2\x80\x99s payment system.\n\n(c)   If these controls are not present, how does the State DOT detect and\n      prevent duplicate and other erroneous transactions?\n\n7.     Separation of Duties Related to Payments - Key duties and\nresponsibilities are divided among different people to reduce the risk of error,\nwaste, or fraud. No one individual should be allowed to control all key\naspects of a transaction or event. Interview management and operating\npersonnel and review organizational charts and job descriptions to establish\nindividual duties and responsibilities.\n\n(a)   Who estimates the amount of work completed by the contractor during the\n      billing cycle?\n\n(b)   Who inspects and confirms contractor compliance with construction\n      methods and material quality? Who compensates inspection personnel?\n\n(c)   Who authorizes payment of contractor invoices? Payment authorization\n      should be made after work is certified as complete and in accordance with\n      contract specifications, or after proper deductions have been made.\n\n(d)   Who records contractor payments?      The accounting department should\n      perform this function.\n\n(e)   Who reconciles project payments to the budget? If the same person\n      authorizes and reconciles payments for contracts, additional monitoring by\n      management is necessary.\n\n(f)   Who disburses the payment to the contractor?\n\n(g)   Who validates the expenditure after payment is made?\n\n\n\n                                                                              7\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n8.    Classifying, Recording, and Documenting Payment Transactions \xe2\x80\x93 Are\npayment transactions appropriately classified, recorded, and documented to\nmaintain their relevance, value, and usefulness to management in controlling\noperations and making decisions?\n\n(a)   Does written documentation exist for the accounts payable internal control\n      structure? Is the documentation readily available for examination? Is\n      documentation, whether in paper or electronic form, useful to managers in\n      controlling operations and to auditors and others involved? Note if copies\n      are available for use by personnel to assist in performing their duties.\n\n(b)   Are transactions completely and accurately classified, recorded, and\n      documented? Can the transaction be traced from initiation to completion?\n\nMonitoring \xe2\x80\x93 Management should assess internal control performance over time.\nThis assessment is accomplished by ongoing monitoring activities and by separate\nevaluations of internal controls. Ongoing monitoring occurs during normal\noperations and includes regular management and supervisory activities,\ncomparisons, reconciliations, and similar tasks. Separate evaluations, such as peer\nreviews, risk assessments, and internal audits, are periodic reviews that focus\ndirectly on the effectiveness of internal controls at a specific time.\n\nThe purpose of monitoring is to determine whether internal controls are\nadequately designed, properly executed, and effective. Management should have\nreasonable assurance that operational objectives were achieved, financial\ninformation was prepared reliably, and the organization has complied with\napplicable laws and regulations. Managers should focus on high-risk areas and,\nlike auditors, should use spot checks of transactions or basic sampling techniques\nto provide a reasonable level of confidence in the adequacy of internal controls.\n\n9.    Does State management conduct ongoing monitoring and separate\nevaluations to assess internal controls?\n\n(a)   Interview State contract administration and financial managers to determine\n      how they monitor control objectives for construction, such as ensuring\n      projects remain on budget and within schedule and that improper payments\n      are not made. Does management\xe2\x80\x99s strategy provide for routine feedback of\n      internal control performance? In what form?\n\n(b)   Interview State project management and accounting personnel to identify\n      management information systems used to provide oversight reports such as\n      project cost and schedule variances. Does State management use these\n\n\n                                                                                 8\n\x0c               U.S. DOT-OIG/AASHTO Audit Subcommittee\n      Risk Assessment of State Transportation Agency Payment Process\n\n      reports to assess achievement of objectives and monitor project\n      performance? How do they use the reports? Do they provide the reports to\n      the FHWA Division Office? Obtain examples.\n\n10.   Are communications from external parties used to corroborate\ninternally generated data or identify problems with internal control?\n\n(a)   Does the State have a hotline to which complaints or referrals of fraud,\n      waste, or abuse can be reported? What complaints and referrals involving\n      Federal-aid highway projects have been made? Interview hotline personnel\n      and obtain a listing of complaints and referrals for the last three years.\n\n(b)   What policies and procedures are used to track and report allegations of\n      fraud, waste, and abuse concerning State and Federal-aid highway\n      construction projects from internal and external sources?\n\n(c)   How responsive are external State audit agencies to reviewing allegations\n      of fraud, waste, and abuse on State and Federal-aid highway projects? How\n      are matters of oversight coordinated with the State auditors?\n\n11.   Are the scope and frequency of separate evaluations of State internal\ncontrols appropriate?\n\n(a)   Interview State Legislative Auditors, State DOT Auditors, and other State\n      agencies that audit highway projects to determine whether any pertinent\n      risk assessments or audits related to contractor payments or the payment\n      system have been issued in the last three Fiscal Years.\n\n(b)   Obtain copies of risk assessments and audit reports issued in the last three\n      Fiscal Years related to:\n\n      \xe2\x88\x92   Oversight of consultants\n      \xe2\x88\x92   Oversight of construction contractors\n      \xe2\x88\x92   State payment process\n      \xe2\x88\x92   Project management (cost and schedule)\n\n\n\n\n                                                                                9\n\x0c'